Software-update: OPNsense 26.1.11
Het pakket OPNsense is een firewall met uitgebreide mogelijkheden. Het is gebaseerd op het besturingssysteem FreeBSD en is oorspronkelijk een fork van m0n0wall en pfSense. Het pakket kan volledig via een webinterface worden ingesteld en heeft onder andere ondersteuning voor mfa, OpenVPN, IPsec, CARP en captive portal. Daarnaast kan het packetfiltering toepassen en beschikt het over een traffic shaper. De ontwikkelaars achter OPNsense hebben de elfde update voor versie 26.1 uitgebracht en de releasenotes voor die uitgave kunnen hieronder worden gevonden.
OPNsense 26.1.11 releasedBack already with a bag of security advisories also for FreeBSD which came out just yesterday. We highly appreciate the increased amount of reports we are getting for the core code and we are working through them, but need to improve our process and guidelines somewhat in order to make more sense of the result for all of you. This will probably take additional effort after 26.7 is out.
Note that this update brings the outbound to source NAT migration page, but it is only a formality as outbound NAT will stay in 26.7 although the legacy firewall rules page will move to a plugin during the major upgrade. It is the same process that was employed with ISC-DHCP. Due to this addition, however, the source NAT rules entered in the system will no longer work unless the mode is set to either "manual" or "hybrid".
Here are the full patch notes:system: configuration line injection via multiple GUI text fieldssystem: add missing legacy_html_escape_form_data() for $a_cert on administration settingssystem: lockout: address newline injection and correct IP parsingsystem: add "local_uri" type in SanitizeFilter() and use it to avoid hardcodingsystem: several compatible adjustments for upcoming PHP 8.5system: fix ACL pattern for carp_status action (contributed by Etienne Girault)system: enhance live log widget (contributed by Greelan)firewall: safeguard ISO country codes in alias downloadfirewall: escape user-controlled values in tooltip attributesfirewall: add the same new rules GUI design to the MVC NAT pagesfirewall: add CSV download/upload to MVC NAT pagesfirewall: add migration for outbound NAT into source NAT pagefirewall: destination NAT: display effective port when local-port is omittedfirewall: source NAT: allow empty target which means the interface addressfirewall: source NAT: skip rendering rules when mode is not advanced/manual or hybridfirewall: improve performance on MVC pages using virtualDOMfirewall: allow WAN as "associated interface" for NPTv6 when prefix ID is setfirewall: fix TypeError on alias getItem() with unknown UUID (contributed by haxorton)firewall: unify group names of OpenVPN, WireGuard and IPsec encapsulationfirewall: show rule counts that can be exported and hide tab if no rules existfirewall: improve interface filter logic to include floating rules with multiple interfaces when they overlap with at least one interface in the interface filter requestfirewall: add validations for "No RDR" option to prevent target and local-port being setfirewall: skip alias on new rules GUI applyinterfaces: prohibit the use of advanced DHCP option settings by non-administratorsinterfaces: properly format API times to ISO format and convert timezone for display in automatic discoverycaptive portal: pass in ip_address as a set for accountingfirmware: fix small glitch that re-prompts for showing community pluginskea: add widget to show DHCP leaseskea: simplify model option valuesmonit: use throwNotFullAdmin() to restrict monit GUI write access to full admins due to intended system wide execution rightsnetwork time: fix stored XSS in GPS init string displayopenvpn: prevent path traversal in "common_name" attributeopenvpn: escape client common_name in connection-status viewsopenvpn: simplify model option valuesmvc: checkAndThrowValueInUse validate input token which may only contain alphanum and dashesmvc: guard BaseField::setNodes() against a list given for a scalar leaf (contributed by haxorton)mvc: DescriptionField: disable special and newline charactersmvc: FileObject: fix exception bug (contributed by Greelan)mvc: also do not translate empty labels in gridsmvc: give throwReadOnly() a sibling named throwNotFullAdmin()mvc: use camelCase for carp_status actionui: bootgrid: minor optimizationsui: add generic escaping function htmlSafe() for JavaScriptplugins: os-cloudflared 1.1plugins: os-freeradius 1.10.2plugins: os-vnstat 1.4src: vm: use-after-free in device pager page listsrc: execve: local privilege escalation via execve(2) TOCTOU racesrc: openzfs: multiple vulnerabilities in OpenZFSsrc: libalias: bffer overflow in libalias RTSP handlersrc: unlinkat: unlinkat(2) ignores AT_RESOLVE_BENEATH flagsrc: tcp: use-after-free in TCP RACK stack option handlersrc: posixshm: multiple vulnerabilities in POSIX largepage objectssrc: audit: incorrect audit records for ptrace(2) syscall requestssrc: ktls: remote DOS via uninitialized memory access in KTLS receivesrc: linux: kernel stack disclosure in Linux compatibility layersrc: iconf: multiple vulnerabilities in iconv(3)ports: curl 8.21.0ports: expat 2.8.2ports: ldns 1.9.2ports: lighttpd 1.4.84ports: phalcon 5.16.0ports: py-duckdb 1.5.4ports: syslog-ng 4.12.0
system: configuration line injection via multiple GUI text fieldssystem: add missing legacy_html_escape_form_data() for $a_cert on administration settingssystem: lockout: address newline injection and correct IP parsingsystem: add "local_uri" type in SanitizeFilter() and use it to avoid hardcodingsystem: several compatible adjustments for upcoming PHP 8.5system: fix ACL pattern for carp_status action (contributed by Etienne Girault)system: enhance live log widget (contributed by Greelan)firewall: safeguard ISO country codes in alias downloadfirewall: escape user-controlled values in tooltip attributesfirewall: add the same new rules GUI design to the MVC NAT pagesfirewall: add CSV download/upload to MVC NAT pagesfirewall: add migration for outbound NAT into source NAT pagefirewall: destination NAT: display effective port when local-port is omittedfirewall: source NAT: allow empty target which means the interface addressfirewall: source NAT: skip rendering rules when mode is not advanced/manual or hybridfirewall: improve performance on MVC pages using virtualDOMfirewall: allow WAN as "associated interface" for NPTv6 when prefix ID is setfirewall: fix TypeError on alias getItem() with unknown UUID (contributed by haxorton)firewall: unify group names of OpenVPN, WireGuard and IPsec encapsulationfirewall: show rule counts that can be exported and hide tab if no rules existfirewall: improve interface filter logic to include floating rules with multiple interfaces when they overlap with at least one interface in the interface filter requestfirewall: add validations for "No RDR" option to prevent target and local-port being setfirewall: skip alias on new rules GUI applyinterfaces: prohibit the use of advanced DHCP option settings by non-administratorsinterfaces: properly format API times to ISO format and convert timezone for display in automatic discoverycaptive portal: pass in ip_address as a set for accountingfirmware: fix small glitch that re-prompts for showing community pluginskea: add widget to show DHCP leaseskea: simplify model option valuesmonit: use throwNotFullAdmin() to restrict monit GUI write access to full admins due to intended system wide execution rightsnetwork time: fix stored XSS in GPS init string displayopenvpn: prevent path traversal in "common_name" attributeopenvpn: escape client common_name in connection-status viewsopenvpn: simplify model option valuesmvc: checkAndThrowValueInUse validate input token which may only contain alphanum and dashesmvc: guard BaseField::setNodes() against a list given for a scalar leaf (contributed by haxorton)mvc: DescriptionField: disable special and newline charactersmvc: FileObject: fix exception bug (contributed by Greelan)mvc: also do not translate empty labels in gridsmvc: give throwReadOnly() a sibling named throwNotFullAdmin()mvc: use camelCase for carp_status actionui: bootgrid: minor optimizationsui: add generic escaping function htmlSafe() for JavaScriptplugins: os-cloudflared 1.1plugins: os-freeradius 1.10.2plugins: os-vnstat 1.4src: vm: use-after-free in device pager page listsrc: execve: local privilege escalation via execve(2) TOCTOU racesrc: openzfs: multiple vulnerabilities in OpenZFSsrc: libalias: bffer overflow in libalias RTSP handlersrc: unlinkat: unlinkat(2) ignores AT_RESOLVE_BENEATH flagsrc: tcp: use-after-free in TCP RACK stack option handlersrc: posixshm: multiple vulnerabilities in POSIX largepage objectssrc: audit: incorrect audit records for ptrace(2) syscall requestssrc: ktls: remote DOS via uninitialized memory access in KTLS receivesrc: linux: kernel stack disclosure in Linux compatibility layersrc: iconf: multiple vulnerabilities in iconv(3)ports: curl 8.21.0ports: expat 2.8.2ports: ldns 1.9.2ports: lighttpd 1.4.84ports: phalcon 5.16.0ports: py-duckdb 1.5.4ports: syslog-ng 4.12.0
Source:
Tweakers.net